Windows Users at Risk as Critical Zoom Vulnerability Exploited

Windows users are in the crosshairs after a critical vulnerability in Zoom was actively exploited. The flaw, which affects multiple Zoom products on Windows, allows attackers to quietly escalate privileges, steal sensitive data, and burrow deeper into infected systems unless users update immediately.

According to MSN, this flaw affects multiple versions of Zoom products, all of which run on Windows clients. Given the severity of the now-patched flaw, Zoom has advised users of the video conferencing app to update their apps quickly to become immune to it.

Technical details of the vulnerability
Tracked as CVE-2025-49457 and scoring 9.6/10 on the Common Vulnerability Scoring System (CVSS), this Windows-only vulnerability is rated “critical.”

Exploitation relies on defense evasion: the malicious code disguises its identity so that the system trusts it. By loading from a Dynamic Link Library (DLL) path Windows already trusts, the malware abuses Windows’ inherent trust features and works its way deeper into the infected machine.

The flaw stems from how Zoom loads its DLL files. Because Zoom does not specify the path to its DLL files, it left itself open to abuse: attackers can drop malicious DLL files that appear identical to those used by Zoom. When Zoom requests a DLL file, Windows searches for it using its own search order, and if it finds the malicious file first, it loads that file for Zoom.

Once the malicious DLL is loaded, the attacker can abuse whatever privileges Zoom has on that Windows machine, without needing to have compromised Zoom itself. This is even more concerning because many Zoom users run it in admin mode, which makes things easier for attackers.

MSN reports that, by abusing this flaw, attackers can “harvest sensitive files such as meeting recordings, contact lists, credentials, and similar. They could also pivot deeper into the corporate network, reaching domain controllers or high-value systems.”

For corporate organizations that have increasingly relied on Zoom for remote communications since the start of the COVID-19 pandemic, this can lead to a snowball effect of additional cyberattacks.

Individuals are not excluded from the effects. With privilege escalation, attackers can modify system settings, add a backdoor to make them harder to remove, and steal individuals’ files.

Zoom’s response to the flaw
Zoom has since addressed the flaw by releasing a patch. However, users who use any of these Zoom products running below version 6.3.10 are still susceptible to it:

  1. Zoom Workspace for Windows (the regular Zoom app for Windows)
  2. Zoom Workspace VDI for Windows (made for virtual desktops)
  3. Zoom Meeting SDK for Windows (used by developers who build Zoom into their own apps)
  4. Zoom Rooms and Zoom Controller for Windows (the Zoom app used for conferences or events requiring large screen setups and their controllers)

The patch focused on loading DLL files using their absolute paths, ensuring that when Zoom requests its DLL files, Windows looks for them in the right places, preventing the malicious DLL from getting accidentally loaded. Windows users need to update their Zoom applications to get the patch.
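The difference between a bare-name load and an absolute-path load can be shown with a small model. This is an added example, not Zoom's code or anything from the original article: it simplifies the Windows search to an ordered list of directories, and the directory names, `helper.dll`, and the writable-directory set are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

def resolve(dll, search_order):
    """Model of a library load: an absolute path is used as-is, a bare name
    is looked up directory by directory and the first match wins."""
    if os.path.isabs(dll):
        return Path(dll) if Path(dll).is_file() else None
    for directory in search_order:
        candidate = Path(directory) / dll
        if candidate.is_file():
            return candidate
    return None

def audit(dll_name, expected, search_order, is_writable):
    """List directories searched before the expected copy that already hold
    a same-named file ('shadowed') or that a user could write one into
    ('writable')."""
    findings = []
    for directory in search_order:
        directory = Path(directory)
        if directory == Path(expected).parent:
            break  # reached the legitimate copy; later directories cannot win
        if (directory / dll_name).is_file():
            findings.append((directory.name, "shadowed"))
        elif is_writable(directory):
            findings.append((directory.name, "writable"))
    return findings

def demo():
    root = Path(tempfile.mkdtemp())
    # Constructed layout: names and order are assumptions for illustration.
    order = [root / n for n in ["app", "system32", "windows", "cwd", "component"]]
    for d in order:
        d.mkdir()
    legit = order[4] / "helper.dll"            # hypothetical legitimate DLL
    legit.write_text("legitimate")
    (order[3] / "helper.dll").write_text("planted")  # look-alike copy
    writable = lambda d: d.name in {"app", "cwd"}    # assumed ACL check result
    return {
        "bare": resolve("helper.dll", order).read_text(),
        "absolute": resolve(str(legit), order).read_text(),
        "audit": audit("helper.dll", legit, order, writable),
    }

if __name__ == "__main__":
    print(demo())
```

On a real host, `is_writable` would be replaced by an ACL check for non-administrative users, and file-name comparison would need to be case-insensitive.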

The app, which can use many system resources, can be lethal when compromised. As a result, Windows users who use Zoom should immediately update their apps. Additionally, auto-updates should be left enabled so future updates happen without manual input.


This was originally posted by TechRepublic
